4 from scapy.layers.inet import IP, ICMP, TCP, UDP
5 from scapy.layers.ipsec import SecurityAssociation
6 from scapy.layers.l2 import Ether, Raw
7 from scapy.layers.inet6 import IPv6, ICMPv6EchoRequest
9 from framework import VppTestCase, VppTestRunner
10 from util import ppp, reassemble4
11 from vpp_papi import VppEnum
14 class IPsecIPv4Params(object):
16 addr_type = socket.AF_INET
18 addr_bcast = "255.255.255.255"
23 self.remote_tun_if_host = '1.1.1.1'
24 self.remote_tun_if_host6 = '1111::1'
26 self.scapy_tun_sa_id = 10
27 self.scapy_tun_spi = 1001
28 self.vpp_tun_sa_id = 20
29 self.vpp_tun_spi = 1000
31 self.scapy_tra_sa_id = 30
32 self.scapy_tra_spi = 2001
33 self.vpp_tra_sa_id = 40
34 self.vpp_tra_spi = 2000
36 self.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t.
37 IPSEC_API_INTEG_ALG_SHA1_96)
38 self.auth_algo = 'HMAC-SHA1-96' # scapy name
39 self.auth_key = 'C91KUR9GYMm5GfkEvNjX'
41 self.crypt_algo_vpp_id = (VppEnum.vl_api_ipsec_crypto_alg_t.
42 IPSEC_API_CRYPTO_ALG_AES_CBC_128)
43 self.crypt_algo = 'AES-CBC' # scapy name
44 self.crypt_key = 'JPjyOWBeVEQiMe7h'
46 self.nat_header = None
49 class IPsecIPv6Params(object):
51 addr_type = socket.AF_INET6
53 addr_bcast = "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
58 self.remote_tun_if_host = '1111:1111:1111:1111:1111:1111:1111:1111'
59 self.remote_tun_if_host4 = '1.1.1.1'
61 self.scapy_tun_sa_id = 50
62 self.scapy_tun_spi = 3001
63 self.vpp_tun_sa_id = 60
64 self.vpp_tun_spi = 3000
66 self.scapy_tra_sa_id = 70
67 self.scapy_tra_spi = 4001
68 self.vpp_tra_sa_id = 80
69 self.vpp_tra_spi = 4000
71 self.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t.
72 IPSEC_API_INTEG_ALG_SHA1_96)
73 self.auth_algo = 'HMAC-SHA1-96' # scapy name
74 self.auth_key = 'C91KUR9GYMm5GfkEvNjX'
76 self.crypt_algo_vpp_id = (VppEnum.vl_api_ipsec_crypto_alg_t.
77 IPSEC_API_CRYPTO_ALG_AES_CBC_256)
78 self.crypt_algo = 'AES-CBC' # scapy name
79 self.crypt_key = 'JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h'
81 self.nat_header = None
84 def config_tun_params(p, encryption_type, tun_if):
85 ip_class_by_addr_type = {socket.AF_INET: IP, socket.AF_INET6: IPv6}
86 use_esn = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
87 IPSEC_API_SAD_FLAG_USE_ESN))
88 p.scapy_tun_sa = SecurityAssociation(
89 encryption_type, spi=p.vpp_tun_spi,
90 crypt_algo=p.crypt_algo, crypt_key=p.crypt_key,
91 auth_algo=p.auth_algo, auth_key=p.auth_key,
92 tunnel_header=ip_class_by_addr_type[p.addr_type](
93 src=tun_if.remote_addr[p.addr_type],
94 dst=tun_if.local_addr[p.addr_type]),
95 nat_t_header=p.nat_header,
97 p.vpp_tun_sa = SecurityAssociation(
98 encryption_type, spi=p.scapy_tun_spi,
99 crypt_algo=p.crypt_algo, crypt_key=p.crypt_key,
100 auth_algo=p.auth_algo, auth_key=p.auth_key,
101 tunnel_header=ip_class_by_addr_type[p.addr_type](
102 dst=tun_if.remote_addr[p.addr_type],
103 src=tun_if.local_addr[p.addr_type]),
104 nat_t_header=p.nat_header,
108 def config_tra_params(p, encryption_type):
109 use_esn = p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
110 IPSEC_API_SAD_FLAG_USE_ESN)
111 p.scapy_tra_sa = SecurityAssociation(
114 crypt_algo=p.crypt_algo,
115 crypt_key=p.crypt_key,
116 auth_algo=p.auth_algo,
118 nat_t_header=p.nat_header,
120 p.vpp_tra_sa = SecurityAssociation(
123 crypt_algo=p.crypt_algo,
124 crypt_key=p.crypt_key,
125 auth_algo=p.auth_algo,
127 nat_t_header=p.nat_header,
131 class TemplateIpsec(VppTestCase):
136 |tra_if| <-------> |VPP|
141 ------ encrypt --- plain ---
142 |tun_if| <------- |VPP| <------ |pg1|
145 ------ decrypt --- plain ---
146 |tun_if| -------> |VPP| ------> |pg1|
150 def ipsec_select_backend(self):
151 """ empty method to be overloaded when necessary """
156 super(TemplateIpsec, cls).setUpClass()
159 def tearDownClass(cls):
160 super(TemplateIpsec, cls).tearDownClass()
163 super(TemplateIpsec, self).setUp()
165 def setup_params(self):
166 self.ipv4_params = IPsecIPv4Params()
167 self.ipv6_params = IPsecIPv6Params()
168 self.params = {self.ipv4_params.addr_type: self.ipv4_params,
169 self.ipv6_params.addr_type: self.ipv6_params}
172 super(TemplateIpsec, self).setUp()
179 self.vpp_esp_protocol = (VppEnum.vl_api_ipsec_proto_t.
181 self.vpp_ah_protocol = (VppEnum.vl_api_ipsec_proto_t.
184 self.create_pg_interfaces(range(3))
185 self.interfaces = list(self.pg_interfaces)
186 for i in self.interfaces:
192 self.ipsec_select_backend()
195 super(TemplateIpsec, self).tearDown()
197 for i in self.interfaces:
202 if not self.vpp_dead:
203 self.vapi.cli("show hardware")
205 def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1,
207 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
208 sa.encrypt(IP(src=src, dst=dst) /
209 ICMP() / Raw('X' * payload_size))
210 for i in range(count)]
212 def gen_encrypt_pkts6(self, sa, sw_intf, src, dst, count=1,
214 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
215 sa.encrypt(IPv6(src=src, dst=dst) /
216 ICMPv6EchoRequest(id=0, seq=1,
217 data='X' * payload_size))
218 for i in range(count)]
220 def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=54):
221 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
222 IP(src=src, dst=dst) / ICMP() / Raw('X' * payload_size)
223 for i in range(count)]
225 def gen_pkts6(self, sw_intf, src, dst, count=1, payload_size=54):
226 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
227 IPv6(src=src, dst=dst) /
228 ICMPv6EchoRequest(id=0, seq=1, data='X' * payload_size)
229 for i in range(count)]
232 class IpsecTcpTests(object):
233 def test_tcp_checksum(self):
234 """ verify checksum correctness for vpp generated packets """
235 self.vapi.cli("test http server")
236 p = self.params[socket.AF_INET]
237 config_tun_params(p, self.encryption_type, self.tun_if)
238 send = (Ether(src=self.tun_if.remote_mac, dst=self.tun_if.local_mac) /
239 p.scapy_tun_sa.encrypt(IP(src=p.remote_tun_if_host,
240 dst=self.tun_if.local_ip4) /
241 TCP(flags='S', dport=80)))
242 self.logger.debug(ppp("Sending packet:", send))
243 recv = self.send_and_expect(self.tun_if, [send], self.tun_if)
245 decrypted = p.vpp_tun_sa.decrypt(recv[IP])
246 self.assert_packet_checksums_valid(decrypted)
249 class IpsecTra4Tests(object):
250 def test_tra_anti_replay(self, count=1):
251 """ ipsec v4 transport anti-reply test """
252 p = self.params[socket.AF_INET]
253 use_esn = p.vpp_tra_sa.use_esn
255 # fire in a packet with seq number 1
256 pkt = (Ether(src=self.tra_if.remote_mac,
257 dst=self.tra_if.local_mac) /
258 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
259 dst=self.tra_if.local_ip4) /
262 recv_pkts = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
264 # now move the window over to 235
265 pkt = (Ether(src=self.tra_if.remote_mac,
266 dst=self.tra_if.local_mac) /
267 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
268 dst=self.tra_if.local_ip4) /
271 recv_pkts = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
273 # replayed packets are dropped
274 self.send_and_assert_no_replies(self.tra_if, pkt * 3)
275 self.assert_packet_counter_equal(
276 '/err/%s/SA replayed packet' % self.tra4_decrypt_node_name, 3)
278 # the window size is 64 packets
279 # in window are still accepted
280 pkt = (Ether(src=self.tra_if.remote_mac,
281 dst=self.tra_if.local_mac) /
282 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
283 dst=self.tra_if.local_ip4) /
286 recv_pkts = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
288 # a packet that does not decrypt does not move the window forward
289 bogus_sa = SecurityAssociation(self.encryption_type,
291 pkt = (Ether(src=self.tra_if.remote_mac,
292 dst=self.tra_if.local_mac) /
293 bogus_sa.encrypt(IP(src=self.tra_if.remote_ip4,
294 dst=self.tra_if.local_ip4) /
297 self.send_and_assert_no_replies(self.tra_if, pkt * 17)
299 self.assert_packet_counter_equal(
300 '/err/%s/Integrity check failed' % self.tra4_decrypt_node_name, 17)
302 # which we can determine since this packet is still in the window
303 pkt = (Ether(src=self.tra_if.remote_mac,
304 dst=self.tra_if.local_mac) /
305 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
306 dst=self.tra_if.local_ip4) /
309 self.send_and_expect(self.tra_if, [pkt], self.tra_if)
311 # out of window are dropped
312 pkt = (Ether(src=self.tra_if.remote_mac,
313 dst=self.tra_if.local_mac) /
314 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
315 dst=self.tra_if.local_ip4) /
318 self.send_and_assert_no_replies(self.tra_if, pkt * 17)
321 # an out of window error with ESN looks like a high sequence
322 # wrap. but since it isn't then the verify will fail.
323 self.assert_packet_counter_equal(
324 '/err/%s/Integrity check failed' %
325 self.tra4_decrypt_node_name, 34)
328 self.assert_packet_counter_equal(
329 '/err/%s/SA replayed packet' %
330 self.tra4_decrypt_node_name, 20)
332 # valid packet moves the window over to 236
333 pkt = (Ether(src=self.tra_if.remote_mac,
334 dst=self.tra_if.local_mac) /
335 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
336 dst=self.tra_if.local_ip4) /
339 rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
340 decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
342 # move VPP's SA to just before the seq-number wrap
343 self.vapi.cli("test ipsec sa %d seq 0xffffffff" % p.scapy_tra_sa_id)
345 # then fire in a packet that VPP should drop because it causes the
346 # seq number to wrap unless we're using extended.
347 pkt = (Ether(src=self.tra_if.remote_mac,
348 dst=self.tra_if.local_mac) /
349 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
350 dst=self.tra_if.local_ip4) /
355 rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
356 # in order to decrpyt the high order number needs to wrap
357 p.vpp_tra_sa.seq_num = 0x100000000
358 decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
360 # send packets with high bits set
361 p.scapy_tra_sa.seq_num = 0x100000005
362 pkt = (Ether(src=self.tra_if.remote_mac,
363 dst=self.tra_if.local_mac) /
364 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
365 dst=self.tra_if.local_ip4) /
367 seq_num=0x100000005))
368 rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
369 # in order to decrpyt the high order number needs to wrap
370 decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
372 self.send_and_assert_no_replies(self.tra_if, [pkt])
373 self.assert_packet_counter_equal(
374 '/err/%s/sequence number cycled' %
375 self.tra4_encrypt_node_name, 1)
377 # move the security-associations seq number on to the last we used
378 self.vapi.cli("test ipsec sa %d seq 0x15f" % p.scapy_tra_sa_id)
379 p.scapy_tra_sa.seq_num = 351
380 p.vpp_tra_sa.seq_num = 351
382 def test_tra_basic(self, count=1):
383 """ ipsec v4 transport basic test """
384 self.vapi.cli("clear errors")
386 p = self.params[socket.AF_INET]
387 send_pkts = self.gen_encrypt_pkts(p.scapy_tra_sa, self.tra_if,
388 src=self.tra_if.remote_ip4,
389 dst=self.tra_if.local_ip4,
391 recv_pkts = self.send_and_expect(self.tra_if, send_pkts,
395 decrypted = p.vpp_tra_sa.decrypt(rx[IP])
396 self.assert_packet_checksums_valid(decrypted)
398 self.logger.debug(ppp("Unexpected packet:", rx))
401 self.logger.info(self.vapi.ppcli("show error"))
402 self.logger.info(self.vapi.ppcli("show ipsec"))
404 pkts = p.tra_sa_in.get_stats()['packets']
405 self.assertEqual(pkts, count,
406 "incorrect SA in counts: expected %d != %d" %
408 pkts = p.tra_sa_out.get_stats()['packets']
409 self.assertEqual(pkts, count,
410 "incorrect SA out counts: expected %d != %d" %
413 self.assert_packet_counter_equal(self.tra4_encrypt_node_name, count)
414 self.assert_packet_counter_equal(self.tra4_decrypt_node_name, count)
416 def test_tra_burst(self):
417 """ ipsec v4 transport burst test """
418 self.test_tra_basic(count=257)
421 class IpsecTra6Tests(object):
422 def test_tra_basic6(self, count=1):
423 """ ipsec v6 transport basic test """
424 self.vapi.cli("clear errors")
426 p = self.params[socket.AF_INET6]
427 send_pkts = self.gen_encrypt_pkts6(p.scapy_tra_sa, self.tra_if,
428 src=self.tra_if.remote_ip6,
429 dst=self.tra_if.local_ip6,
431 recv_pkts = self.send_and_expect(self.tra_if, send_pkts,
435 decrypted = p.vpp_tra_sa.decrypt(rx[IPv6])
436 self.assert_packet_checksums_valid(decrypted)
438 self.logger.debug(ppp("Unexpected packet:", rx))
441 self.logger.info(self.vapi.ppcli("show error"))
442 self.logger.info(self.vapi.ppcli("show ipsec"))
444 pkts = p.tra_sa_in.get_stats()['packets']
445 self.assertEqual(pkts, count,
446 "incorrect SA in counts: expected %d != %d" %
448 pkts = p.tra_sa_out.get_stats()['packets']
449 self.assertEqual(pkts, count,
450 "incorrect SA out counts: expected %d != %d" %
452 self.assert_packet_counter_equal(self.tra6_encrypt_node_name, count)
453 self.assert_packet_counter_equal(self.tra6_decrypt_node_name, count)
455 def test_tra_burst6(self):
456 """ ipsec v6 transport burst test """
457 self.test_tra_basic6(count=257)
460 class IpsecTra46Tests(IpsecTra4Tests, IpsecTra6Tests):
464 class IpsecTun4(object):
466 def verify_counters(self, p, count):
467 if (hasattr(p, "spd_policy_in_any")):
468 pkts = p.spd_policy_in_any.get_stats()['packets']
469 self.assertEqual(pkts, count,
470 "incorrect SPD any policy: expected %d != %d" %
473 if (hasattr(p, "tun_sa_in")):
474 pkts = p.tun_sa_in.get_stats()['packets']
475 self.assertEqual(pkts, count,
476 "incorrect SA in counts: expected %d != %d" %
478 pkts = p.tun_sa_out.get_stats()['packets']
479 self.assertEqual(pkts, count,
480 "incorrect SA out counts: expected %d != %d" %
483 self.assert_packet_counter_equal(self.tun4_encrypt_node_name, count)
484 self.assert_packet_counter_equal(self.tun4_decrypt_node_name, count)
486 def verify_decrypted(self, p, rxs):
488 self.assert_equal(rx[IP].src, p.remote_tun_if_host)
489 self.assert_equal(rx[IP].dst, self.pg1.remote_ip4)
490 self.assert_packet_checksums_valid(rx)
492 def verify_encrypted(self, p, sa, rxs):
496 decrypt_pkt = p.vpp_tun_sa.decrypt(rx[IP])
497 if not decrypt_pkt.haslayer(IP):
498 decrypt_pkt = IP(decrypt_pkt[Raw].load)
499 decrypt_pkts.append(decrypt_pkt)
500 self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip4)
501 self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host)
503 self.logger.debug(ppp("Unexpected packet:", rx))
505 self.logger.debug(ppp("Decrypted packet:", decrypt_pkt))
509 pkts = reassemble4(decrypt_pkts)
511 self.assert_packet_checksums_valid(pkt)
513 def verify_tun_44(self, p, count=1, payload_size=64, n_rx=None):
514 self.vapi.cli("clear errors")
518 config_tun_params(p, self.encryption_type, self.tun_if)
519 send_pkts = self.gen_encrypt_pkts(p.scapy_tun_sa, self.tun_if,
520 src=p.remote_tun_if_host,
521 dst=self.pg1.remote_ip4,
523 recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
524 self.verify_decrypted(p, recv_pkts)
526 send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4,
527 dst=p.remote_tun_if_host, count=count,
528 payload_size=payload_size)
529 recv_pkts = self.send_and_expect(self.pg1, send_pkts,
531 self.verify_encrypted(p, p.vpp_tun_sa, recv_pkts)
534 self.logger.info(self.vapi.ppcli("show error"))
535 self.logger.info(self.vapi.ppcli("show ipsec"))
537 self.verify_counters(p, count)
539 def verify_tun_64(self, p, count=1):
540 self.vapi.cli("clear errors")
542 config_tun_params(p, self.encryption_type, self.tun_if)
543 send_pkts = self.gen_encrypt_pkts6(p.scapy_tun_sa, self.tun_if,
544 src=p.remote_tun_if_host6,
545 dst=self.pg1.remote_ip6,
547 recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
548 for recv_pkt in recv_pkts:
549 self.assert_equal(recv_pkt[IPv6].src, p.remote_tun_if_host6)
550 self.assert_equal(recv_pkt[IPv6].dst, self.pg1.remote_ip6)
551 self.assert_packet_checksums_valid(recv_pkt)
552 send_pkts = self.gen_pkts6(self.pg1, src=self.pg1.remote_ip6,
553 dst=p.remote_tun_if_host6, count=count)
554 recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if)
555 for recv_pkt in recv_pkts:
557 decrypt_pkt = p.vpp_tun_sa.decrypt(recv_pkt[IP])
558 if not decrypt_pkt.haslayer(IPv6):
559 decrypt_pkt = IPv6(decrypt_pkt[Raw].load)
560 self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip6)
561 self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host6)
562 self.assert_packet_checksums_valid(decrypt_pkt)
564 self.logger.error(ppp("Unexpected packet:", recv_pkt))
567 ppp("Decrypted packet:", decrypt_pkt))
572 self.logger.info(self.vapi.ppcli("show error"))
573 self.logger.info(self.vapi.ppcli("show ipsec"))
575 self.verify_counters(p, count)
578 class IpsecTun4Tests(IpsecTun4):
580 def test_tun_basic44(self):
581 """ ipsec 4o4 tunnel basic test """
582 self.verify_tun_44(self.params[socket.AF_INET], count=1)
584 def test_tun_burst44(self):
585 """ ipsec 4o4 tunnel burst test """
586 self.verify_tun_44(self.params[socket.AF_INET], count=257)
589 class IpsecTun6(object):
591 def verify_counters(self, p, count):
592 if (hasattr(p, "tun_sa_in")):
593 pkts = p.tun_sa_in.get_stats()['packets']
594 self.assertEqual(pkts, count,
595 "incorrect SA in counts: expected %d != %d" %
597 pkts = p.tun_sa_out.get_stats()['packets']
598 self.assertEqual(pkts, count,
599 "incorrect SA out counts: expected %d != %d" %
601 self.assert_packet_counter_equal(self.tun6_encrypt_node_name, count)
602 self.assert_packet_counter_equal(self.tun6_decrypt_node_name, count)
604 def verify_tun_66(self, p, count=1):
605 """ ipsec 6o6 tunnel basic test """
606 self.vapi.cli("clear errors")
608 config_tun_params(p, self.encryption_type, self.tun_if)
609 send_pkts = self.gen_encrypt_pkts6(p.scapy_tun_sa, self.tun_if,
610 src=p.remote_tun_if_host,
611 dst=self.pg1.remote_ip6,
613 recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
614 for recv_pkt in recv_pkts:
615 self.assert_equal(recv_pkt[IPv6].src, p.remote_tun_if_host)
616 self.assert_equal(recv_pkt[IPv6].dst, self.pg1.remote_ip6)
617 self.assert_packet_checksums_valid(recv_pkt)
618 send_pkts = self.gen_pkts6(self.pg1, src=self.pg1.remote_ip6,
619 dst=p.remote_tun_if_host,
621 recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if)
622 for recv_pkt in recv_pkts:
624 decrypt_pkt = p.vpp_tun_sa.decrypt(recv_pkt[IPv6])
625 if not decrypt_pkt.haslayer(IPv6):
626 decrypt_pkt = IPv6(decrypt_pkt[Raw].load)
627 self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip6)
628 self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host)
629 self.assert_packet_checksums_valid(decrypt_pkt)
631 self.logger.debug(ppp("Unexpected packet:", recv_pkt))
634 ppp("Decrypted packet:", decrypt_pkt))
639 self.logger.info(self.vapi.ppcli("show error"))
640 self.logger.info(self.vapi.ppcli("show ipsec"))
641 self.verify_counters(p, count)
643 def verify_tun_46(self, p, count=1):
644 """ ipsec 4o6 tunnel basic test """
645 self.vapi.cli("clear errors")
647 config_tun_params(p, self.encryption_type, self.tun_if)
648 send_pkts = self.gen_encrypt_pkts(p.scapy_tun_sa, self.tun_if,
649 src=p.remote_tun_if_host4,
650 dst=self.pg1.remote_ip4,
652 recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
653 for recv_pkt in recv_pkts:
654 self.assert_equal(recv_pkt[IP].src, p.remote_tun_if_host4)
655 self.assert_equal(recv_pkt[IP].dst, self.pg1.remote_ip4)
656 self.assert_packet_checksums_valid(recv_pkt)
657 send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4,
658 dst=p.remote_tun_if_host4,
660 recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if)
661 for recv_pkt in recv_pkts:
663 decrypt_pkt = p.vpp_tun_sa.decrypt(recv_pkt[IPv6])
664 if not decrypt_pkt.haslayer(IP):
665 decrypt_pkt = IP(decrypt_pkt[Raw].load)
666 self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip4)
667 self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host4)
668 self.assert_packet_checksums_valid(decrypt_pkt)
670 self.logger.debug(ppp("Unexpected packet:", recv_pkt))
672 self.logger.debug(ppp("Decrypted packet:",
678 self.logger.info(self.vapi.ppcli("show error"))
679 self.logger.info(self.vapi.ppcli("show ipsec"))
680 self.verify_counters(p, count)
683 class IpsecTun6Tests(IpsecTun6):
685 def test_tun_basic66(self):
686 """ ipsec 6o6 tunnel basic test """
687 self.verify_tun_66(self.params[socket.AF_INET6], count=1)
689 def test_tun_burst66(self):
690 """ ipsec 6o6 tunnel burst test """
691 self.verify_tun_66(self.params[socket.AF_INET6], count=257)
694 class IpsecTun46Tests(IpsecTun4Tests, IpsecTun6Tests):
698 if __name__ == '__main__':
699 unittest.main(testRunner=VppTestRunner)
Code Review / vpp.git / blob